laplas | 1863e62e713302b15c27801878cc1a085e6e0382bd4cc719e2ecb254d0a43051

General

Target

setup.exe
Size

1.9MB
MD5

eaa8dbc48c3f6d5a935141690bed014c
SHA1

5778105a7e42446503dbfc69cbbd20bfd148f444
SHA256

1863e62e713302b15c27801878cc1a085e6e0382bd4cc719e2ecb254d0a43051
SHA512

267e2592dc91cd63ee64824cfc63fe1a42629eac6b35ea7fc5be2169cb8a3d7c6e74b41831f96bfbd87b54ac4d97484e74fddefb2465271ba3f442043f11a111
SSDEEP

24576:dVPcOBkwVC63STHaiNdh8fB8dmwJVoYIlpQI0gneH3Lwk0zcdfKkQE/VQmwzQcGK:dv9LkxdKf25gneH3LwXYKkkXQeoP1w

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1240 ntlhost.exe
Loads dropped DLL 5 IoCs

Processes:

setup.exentlhost.exe

pid process

1988 setup.exe
1988 setup.exe
1240 ntlhost.exe
1240 ntlhost.exe
1240 ntlhost.exe

pid	process
1240	ntlhost.exe

pid	process
1988	setup.exe
1988	setup.exe
1240	ntlhost.exe
1240	ntlhost.exe
1240	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 1 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe
PID 1988 wrote to memory of 1240	1988	setup.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
258.3MB

MD5
c0e13c78c07fd6d43328384710a65437

SHA1
fa6b0f277dac316974ad87b6d3b7fb3ed8995a4b

SHA256
f414ea5c4ada2fae47fd508f78013118fc6f9c72225bad0c976678d1f29fe9d8

SHA512
0ae3eac25b138aede337228d546be5a4ee2cafada2f5da17a420822873eadce78a3795dc7cf2d634105e1f6f96813267523f545ea854f6249fa6747c3adc9d36

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
241.9MB

MD5
f0707e5a2c28c021b671ffbb1b985da0

SHA1
4e000bdce796e822659bf80e558d40f97782e02b

SHA256
cc301eab37501579fb118b2778b246c72b3e4bf39823e2fd01770980d2094ee8

SHA512
5a78553d0ee6bfce6174b2c52f505ad8be41891a19cba4e94523a7375389e179766f15b0365fef3b8921a6f56e5cc7c7c699d8fa135c30ec865c0ad6627c3f00

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
262.8MB

MD5
97d92fcb516289af18f6004272f48d1b

SHA1
41175ac907398e6f7934db3e1d9e608d39924669

SHA256
1f3746327377d15c7fc30a8d27185ec2d95ca0bb2bb06b05a180189abef58681

SHA512
f0cfbd0a18f3fc024ebe7777de62815b7a19c93ec3d0848b987069529de6a6f0c2eccdc9a913ee95cf98ab14680729fb4ae37009d2fb14072739f16a5d77eea6

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
182.6MB

MD5
b6d2c83a94ac1d3380e33edf39593e02

SHA1
0a9edf73c9a3cbbdaddbb80eab750f73cb4d33c4

SHA256
a45c427a99353dcc892625f0a552f27f7cae6b41f355da963d4ed9700735fafc

SHA512
352850f8b8bd1b88a1b042ddd951df2249a47f3c918c232ac3379b730aeacaccf87ed441c1f89d8841c31facdce5b9d7585221b198cce727b944c2d5c5a2efdd

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
182.4MB

MD5
f753621e08d77db4b3af5d9892123806

SHA1
1df235435a38a290fd6ab669125a80cb17337e50

SHA256
783264cf05bda2d76138c419959a3abc0f2d67c821bb5f7c35461a236f18e336

SHA512
89895fadc70714f392e993701621f36996106c2d10422a05a1f2541df419541a0eb65f4eeac52974d41d0b828a9d645c24a776f4a409d12a742141b557c235cd

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
256.5MB

MD5
50abf1a5f39bd3c9ab00981fc7ff1c40

SHA1
89e2f3a3dfdda06ee7dbda08367c58f6d30bde23

SHA256
82768ba37747c67cb5e2636a522a6730e9bc8db2ed302b847059a9b4e9163744

SHA512
d8f50e2e886e3a93c6b164e7448c41b5abbe10a2890d288c02bd795bff68a39c3109861ede6e485d479954f210e89bf9f4fbcba6753bd134270ac7de1d74ca0c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
255.8MB

MD5
1a1c6677e77e0a560cc6fea83f9ca1d2

SHA1
41b95347483002154e45fc55e6dda445c58c78f8

SHA256
3c0b195904626a882a42683f5c340fa2c2746f2566b974657fcb10d603b11a91

SHA512
50cac9eef8450f5d9225cb84fb9b3d20698696189a1c21b59708b7b7c23efc2e79cd33d077d6159dbc3073d10c2610051f47c9dfe5c8452424d9980641c631e3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
258.7MB

MD5
4ba6a9913e061fefc8e866df7dfb960f

SHA1
5397925781d7a9cba210e998ce332318545a18b9

SHA256
3eb5b36e7dab184a5fd9abf0e12be380706b20c1101e37d59c4d34111c922429

SHA512
5ce9eb5474a22f987419e44d5b687002705b6f5ff09bf015d2caf8e58f86bb3d507ef62c7a1b36a82b114fcbf3e0c50c62b9a4a7da759bd5e7cff70019905ed0

Download Submit
memory/1240-70-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-78-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-83-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-69-0x0000000002410000-0x00000000025BA000-memory.dmp

Filesize
1.7MB

Download
memory/1240-82-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-71-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-72-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-75-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-76-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-77-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-81-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-79-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1240-80-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1988-65-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1988-54-0x00000000022F0000-0x000000000249A000-memory.dmp

Filesize
1.7MB

Download
memory/1988-55-0x00000000024A0000-0x0000000002870000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing